OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT
Forescout Vedere Labs has discovered a set of 61 vulnerabilities affecting devices from 13 operational technology (OT) vendors, caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. Many of these products are sold as “secure by design” or have been certified against OT security standards.
- 61 vulnerabilities
- 100+ device models
- 13 device manufacturers affected
What We Found
The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
- Among the vulnerabilities we found, 38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution
- 74% of affected product families have some form of security certification
- Risk management is complicated by the lack of CVEs
Concluding OT:ICEFALL – New Vulnerabilities and Insights on OT Security Design and Patching
Exactly one year after the original disclosure, we concluded OT:ICEFALL with these three insights into the state of OT product security:
- Vendors still lack a fundamental understanding of secure-by-design. Our research shows the continuing prevalence of insecure-by-design practices in OT products and highlights that existing security controls were often broken.
- Vendors often release low-quality patches. Incomplete patches can lead to the discovery of new vulnerabilities, exemplifying how a bad patch increases risk instead of decreasing it.
- Vendors must improve their security testing procedures. The shallow nature of many vulnerabilities we found in the project casts doubt on the quality of the testing these products currently undergo.
Why OT:ICEFALL Matters
With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.
Why the Name OT:ICEFALL?
It has been 10 years since Project Basecamp, a research project by Digital Bond that investigated how far critical OT devices and protocols were, to use the term it coined, “insecure by design.” Icefall is the name of the second stop on the Everest route, after Base Camp. Given the rising number of OT vulnerability disclosures, we know we have a mountain to climb to secure these devices and protocols.
How Forescout Can Help
Implementing mitigation for OT:ICEFALL requires:
- Extensive visibility on devices and communications based on deep packet inspection
- Segmentation of OT assets
- Continuous network monitoring
- ICS-specific threat and vulnerability hunting capabilities
The Forescout Platform helps you achieve all of these steps without disrupting critical business processes or requiring operational downtime. Forescout’s eyeInspect product has native monitoring capabilities for the protocols used by the affected devices and built-in detection for exploitation of OT:ICEFALL vulnerabilities. Customers should update to the latest eyeInspect release to make full use of our industrial threat library, which is updated monthly with ICS-specific IOCs and CVEs.
Commitment to the Cybersecurity Community
As part of the OT:ICEFALL disclosure, Forescout provided the cybersecurity community with a technical report in which we discuss the 56 vulnerabilities from the original disclosure, their impact and their mitigation in detail, as well as the insecure-by-design debate, the effect of opacity on risk management, industry-specific attack scenarios and more.
Security Advisories
- Bently Nevada ADAPT 3701/4X Series and 60M100
- CODESYS V3
- Emerson DeltaV Distributed Control System
- Emerson ControlWave
- Emerson OpenBSI
- Emerson ROC800, ROC800L and DL800
- Festo CPX-CEC-C1 and CPX-CMX
- Festo multiple products with CODESYS
- Festo multiple products
- Honeywell Safety Manager
- Honeywell Saia Burgess PG5 PCD
- Honeywell ControlEdge
- Honeywell Experion LX
- Honeywell Trend Controls Inter-Controller Protocol
- JTEKT TOYOPUC
- Motorola Solutions MOSCAD IP and ACE IP Gateways
- Motorola Solutions MDLC
- Motorola Solutions ACE1000
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series
- Phoenix Contact Classic Line Controllers
- Phoenix Contact ProConOS and MULTIPROG
- Phoenix Contact Classic Line Industrial Controllers
- Schneider Electric Modicon Controllers
- Schneider Electric Modicon Controllers 2
- Schneider Electric PowerLogic and ION
- Siemens WinCC OA
- WAGO Controllers with CODESYS 2.3
- Yokogawa STARDOM